This is documentation to create integration between Windows Event Subscription and SEM / LEM agent. You might be thinking, why would I want to do that if I could install the agent directly to each Windows System. The use case will be simply for: 1. if I want to centralize my Windows event collection from one place 2. if you're not allowed to run agents on all Windows Servers 3. if you're not allowed to open some proprietary ports for agent communication Please keep in mind, if you're not installing the SEM agent onto the Windows Server directly, you will miss some benefits. Please refer to Success Center Let's get to the point if you're veteran Windows admins, configuring Event Subscription is not something new, you might want to skip to the integration with SEM / LEM on the later stage. Windows Event Subscription will use WinRM with Collector Initiated SEM will use default agent and connectors. Background setup for this documentation, there are 2 servers on the same Windows domain: Event Source Server (lab-apac-dc01) Event Collector Server (lab-apac-kss01) Setting up the Event Source (as admin) Run WinRM: winrm qc -q Run GPO Editor: %SYSTEMROOT%\System32\gpedit.msc Computer Configuration - Administrative Templates - Windows Components - Event Forwarding Enable the Subscription Manager and add the Event Collector Apply the GPO: gpupdate /force Header 1 Header 2 Header 3 Setting up the Event Collector (as admin) Run WinRM: winrm qc -q Run Event Collector Service: wecutil qc /q Run Windows Event Viewer: eventvwr.exe Create Subscription - Collector Initiated Destination log would be recommended on the same Event Types (e.g: System) Header 1 Header 2 Event to collect: Query Filter - Last Hour - Event Level (anything OR all) - Event Logs: System Note: create other subscription for other event logs. Configure User Account with Event Log Readers. Verify Event Subscription works on Collector Look at System Events and look for events from Event Source computers. Setting up SEM Agent on Event Collector Refer to Deploying the LEM Agent Verify Event Collector Server on SEM Nodes list ( SEM Node License is required ) Configure Windows System Connector on Event Collector Server Verify the Event Source Server in the SEM Nodes List ( SEM Node License is required ) Verify Event Subscription works on SEM Web UI Insertion IP = Event Collector Server Detection IP = Event Source Server

This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Windows Event Subscription with SEM / LEM Agent

IndoMie over 4 years ago

This is documentation to create integration between Windows Event Subscription and SEM / LEM agent.

You might be thinking, why would I want to do that if I could install the agent directly to each Windows System.

The use case will be simply for:

1. if I want to centralize my Windows event collection from one place

2. if you're not allowed to run agents on all Windows Servers

3. if you're not allowed to open some proprietary ports for agent communication

Please keep in mind, if you're not installing the SEM agent onto the Windows Server directly, you will miss some benefits.

Please refer to Success Center

Let's get to the point if you're veteran Windows admins, configuring Event Subscription is not something new, you might want to skip to the integration with SEM / LEM on the later stage.

Windows Event Subscription will use WinRM with Collector Initiated

SEM will use default agent and connectors.

Background setup for this documentation, there are 2 servers on the same Windows domain:

Event Source Server (lab-apac-dc01)
Event Collector Server (lab-apac-kss01)

Setting up the Event Source (as admin)

Run WinRM: winrm qc -q
Run GPO Editor: %SYSTEMROOT%\System32\gpedit.msc
Computer Configuration - Administrative Templates - Windows Components - Event Forwarding
Enable the Subscription Manager and add the Event Collector
Apply the GPO: gpupdate /force

Header 1	Header 2	Header 3

Setting up the Event Collector (as admin)

Run WinRM: winrm qc -q
Run Event Collector Service: wecutil qc /q
Run Windows Event Viewer: eventvwr.exe
Create Subscription - Collector Initiated
Destination log would be recommended on the same Event Types (e.g: System)

Header 1	Header 2

Event to collect: Query Filter - Last Hour - Event Level (anything OR all) - Event Logs: System
Note: create other subscription for other event logs.

Configure User Account with Event Log Readers.

Verify Event Subscription works on Collector

Look at System Events and look for events from Event Source computers.

Setting up SEM Agent on Event Collector

Refer to Deploying the LEM Agent
Verify Event Collector Server on SEM Nodes list (SEM Node License is required)

Configure Windows System Connector on Event Collector Server

Verify the Event Source Server in the SEM Nodes List (SEM Node License is required)

Verify Event Subscription works on SEM Web UI

Insertion IP = Event Collector Server
Detection IP = Event Source Server